Describe the bug
`yarn audit` shows a high severity vulnerability coming from axios on an install of the latest stellar-sdk version.

To reproduce:

```
$ yarn init -y && yarn add stellar-sdk && yarn audit
yarn init v1.22.10
warning The yes flag has been set. This will automatically answer yes to all questions, which may have security implications.
success Saved package.json
Done in 0.03s.
yarn add v1.22.10
info No lockfile found.
[1/4] Resolving packages...
warning stellar-sdk > axios@0.19.2: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
success Saved 39 new dependencies.
info Direct dependencies
└─ stellar-sdk@7.0.0
info All dependencies
├─ @types/eventsource@1.1.5
├─ @types/node@14.14.20
├─ @types/randombytes@2.0.0
├─ @types/urijs@1.19.13
├─ axios@0.19.2
├─ base32.js@0.1.0
├─ base64-js@1.5.1
├─ buffer@5.7.1
├─ crc@3.8.0
├─ cursor@0.1.5
├─ debug@3.1.0
├─ detect-node@2.0.4
├─ es6-promise@4.2.8
├─ eventsource@1.0.7
├─ follow-redirects@1.5.10
├─ ieee754@1.2.1
├─ inherits@2.0.4
├─ ini@1.3.8
├─ js-xdr@1.2.0
├─ lodash@4.17.20
├─ long@2.4.0
├─ ms@2.0.0
├─ nan@2.14.2
├─ node-gyp-build@4.2.3
├─ original@1.0.2
├─ querystringify@2.2.0
├─ randombytes@2.1.0
├─ requires-port@1.0.0
├─ safe-buffer@5.2.1
├─ sha.js@2.4.11
├─ sodium-native@2.4.9
├─ stellar-base@4.0.3
├─ stellar-sdk@7.0.0
├─ toml@2.3.6
├─ tslib@1.14.1
├─ tweetnacl@1.0.3
├─ urijs@1.19.5
├─ url-parse@1.4.7
└─ utility-types@3.10.0
Done in 1.64s.
yarn audit v1.22.10
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.21.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ stellar-sdk                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ stellar-sdk > axios                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1594                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 40
Severity: 1 High
Done in 1.54s.
```

What version are you on?
7.0.0

To Reproduce
See above

Expected behavior
Yarn audit does not detect any high severity vulnerabilities.

Additional context
Upgrading axios to `>=0.21.1` should be sufficient.
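As an added example, not code from this issue or from the stellar-sdk project: a small CI gate over `yarn audit --json` output. It reports every finding at or above a severity threshold whose installed version still falls short of the advisory's patched range, reproduces yarn v1's exit-code bitmask, and derives the yarn v1 `resolutions` entry a downstream project can drop into its own package.json to force the transitive axios up to 0.21.1 until a stellar-sdk release with the bump is available. The audit records embedded in `SAMPLE_AUDIT_JSON` are constructed to mirror the report above (the field names follow yarn v1's newline-delimited JSON output; the values are the ones in the table); the function names are my own.

```javascript
// Added example (not part of the stellar-sdk issue or project code).
// Gate a CI job on `yarn audit --json` (yarn v1) output and emit a
// package.json "resolutions" override for the affected transitive dependency.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
// yarn v1 exits with a bitmask of the severities found:
// 1 info, 2 low, 4 moderate, 8 high, 16 critical.
const SEVERITY_BIT = { info: 1, low: 2, moderate: 4, high: 8, critical: 16 };

// Constructed sample, shaped like yarn v1's `yarn audit --json` stream and
// carrying the values from the report in the issue.
const SAMPLE_AUDIT_JSON = [
  JSON.stringify({
    type: 'auditAdvisory',
    data: {
      resolution: { id: 1594, path: 'stellar-sdk>axios', dev: false },
      advisory: {
        id: 1594,
        module_name: 'axios',
        severity: 'high',
        title: 'Server-Side Request Forgery',
        patched_versions: '>=0.21.1',
        findings: [{ version: '0.19.2', paths: ['stellar-sdk>axios'] }],
        url: 'https://www.npmjs.com/advisories/1594',
      },
    },
  }),
  JSON.stringify({
    type: 'auditSummary',
    data: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 1, critical: 0 }, totalDependencies: 40 },
  }),
].join('\n');

// "v1.2.3-beta" -> [1, 2, 3]: a leading "v" and any prerelease/build tag are dropped.
function parseVersion(v) {
  const core = String(v).replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map((n) => parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Advisory "patched_versions" is "<none>" or one or more ">=X.Y.Z" alternatives
// joined by "||"; any other shape is rejected rather than silently accepted.
function patchedMinimums(range) {
  if (!range || range.trim() === '<none>') return [];
  return range.split('||').map((alt) => {
    const m = alt.trim().match(/^>=\s*(\d+\.\d+\.\d+)$/);
    if (!m) throw new Error(`unsupported range: ${alt}`);
    return m[1];
  });
}

function satisfiesPatchedRange(version, range) {
  return patchedMinimums(range).some((min) => compareVersions(version, min) >= 0);
}

// One finding per (module, installed version, dependency path).
function parseAuditOutput(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    const rec = JSON.parse(line);
    if (rec.type !== 'auditAdvisory') continue;
    const adv = rec.data.advisory;
    for (const f of adv.findings || []) {
      for (const p of f.paths || []) {
        findings.push({ module: adv.module_name, severity: adv.severity, title: adv.title,
                        installed: f.version, patched: adv.patched_versions, path: p, url: adv.url });
      }
    }
  }
  return findings;
}

// Findings at or above `threshold` whose installed version is still unpatched.
function failingFindings(findings, threshold = 'high') {
  return findings.filter((f) => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]
                             && !satisfiesPatchedRange(f.installed, f.patched));
}

function severityMask(findings) {
  return findings.reduce((mask, f) => mask | SEVERITY_BIT[f.severity], 0);
}

// yarn v1 "resolutions" entry pinning each affected module to its lowest patched
// version; add it to package.json and re-run `yarn install`.
function resolutionsFor(findings) {
  const out = {};
  for (const f of findings) {
    const mins = patchedMinimums(f.patched);
    if (mins.length === 0) continue; // no fix published, nothing to pin to
    const lowest = mins.reduce((a, b) => (compareVersions(a, b) <= 0 ? a : b));
    if (!out[f.module] || compareVersions(lowest, out[f.module]) > 0) out[f.module] = lowest;
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  const failing = failingFindings(parseAuditOutput(SAMPLE_AUDIT_JSON), 'high');
  for (const f of failing) {
    console.error(`${f.severity}: ${f.module}@${f.installed} via ${f.path}, patched in ${f.patched} (${f.url})`);
  }
  console.log(JSON.stringify({ resolutions: resolutionsFor(failing) }, null, 2));
  console.log(`yarn-style exit code would be ${severityMask(failing)}`);
}
```

In real use, feed `parseAuditOutput` the contents of `yarn audit --json > audit.jsonl` instead of the embedded sample. A `resolutions` override replaces the range stellar-sdk itself declares for axios, so run the application's own test suite after pinning, and remove the override once a stellar-sdk release that depends on axios `>=0.21.1` is installed.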
Upgrade axios in response to vulnerability (#605)
65323e0
7a3c409